xref: /linux/security/apparmor/mount.c (revision 4b132aacb0768ac1e652cf517097ea6f237214b9)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * AppArmor security module
4  *
5  * This file contains AppArmor mediation of files
6  *
7  * Copyright (C) 1998-2008 Novell/SUSE
8  * Copyright 2009-2017 Canonical Ltd.
9  */
10 
11 #include <linux/fs.h>
12 #include <linux/mount.h>
13 #include <linux/namei.h>
14 #include <uapi/linux/mount.h>
15 
16 #include "include/apparmor.h"
17 #include "include/audit.h"
18 #include "include/cred.h"
19 #include "include/domain.h"
20 #include "include/file.h"
21 #include "include/match.h"
22 #include "include/mount.h"
23 #include "include/path.h"
24 #include "include/policy.h"
25 
26 
27 static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
28 {
29 	if (flags & MS_RDONLY)
30 		audit_log_format(ab, "ro");
31 	else
32 		audit_log_format(ab, "rw");
33 	if (flags & MS_NOSUID)
34 		audit_log_format(ab, ", nosuid");
35 	if (flags & MS_NODEV)
36 		audit_log_format(ab, ", nodev");
37 	if (flags & MS_NOEXEC)
38 		audit_log_format(ab, ", noexec");
39 	if (flags & MS_SYNCHRONOUS)
40 		audit_log_format(ab, ", sync");
41 	if (flags & MS_REMOUNT)
42 		audit_log_format(ab, ", remount");
43 	if (flags & MS_MANDLOCK)
44 		audit_log_format(ab, ", mand");
45 	if (flags & MS_DIRSYNC)
46 		audit_log_format(ab, ", dirsync");
47 	if (flags & MS_NOSYMFOLLOW)
48 		audit_log_format(ab, ", nosymfollow");
49 	if (flags & MS_NOATIME)
50 		audit_log_format(ab, ", noatime");
51 	if (flags & MS_NODIRATIME)
52 		audit_log_format(ab, ", nodiratime");
53 	if (flags & MS_BIND)
54 		audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
55 	if (flags & MS_MOVE)
56 		audit_log_format(ab, ", move");
57 	if (flags & MS_SILENT)
58 		audit_log_format(ab, ", silent");
59 	if (flags & MS_POSIXACL)
60 		audit_log_format(ab, ", acl");
61 	if (flags & MS_UNBINDABLE)
62 		audit_log_format(ab, flags & MS_REC ? ", runbindable" :
63 				 ", unbindable");
64 	if (flags & MS_PRIVATE)
65 		audit_log_format(ab, flags & MS_REC ? ", rprivate" :
66 				 ", private");
67 	if (flags & MS_SLAVE)
68 		audit_log_format(ab, flags & MS_REC ? ", rslave" :
69 				 ", slave");
70 	if (flags & MS_SHARED)
71 		audit_log_format(ab, flags & MS_REC ? ", rshared" :
72 				 ", shared");
73 	if (flags & MS_RELATIME)
74 		audit_log_format(ab, ", relatime");
75 	if (flags & MS_I_VERSION)
76 		audit_log_format(ab, ", iversion");
77 	if (flags & MS_STRICTATIME)
78 		audit_log_format(ab, ", strictatime");
79 	if (flags & MS_NOUSER)
80 		audit_log_format(ab, ", nouser");
81 }
82 
83 /**
84  * audit_cb - call back for mount specific audit fields
85  * @ab: audit_buffer  (NOT NULL)
86  * @va: audit struct to audit values of  (NOT NULL)
87  */
88 static void audit_cb(struct audit_buffer *ab, void *va)
89 {
90 	struct common_audit_data *sa = va;
91 	struct apparmor_audit_data *ad = aad(sa);
92 
93 	if (ad->mnt.type) {
94 		audit_log_format(ab, " fstype=");
95 		audit_log_untrustedstring(ab, ad->mnt.type);
96 	}
97 	if (ad->mnt.src_name) {
98 		audit_log_format(ab, " srcname=");
99 		audit_log_untrustedstring(ab, ad->mnt.src_name);
100 	}
101 	if (ad->mnt.trans) {
102 		audit_log_format(ab, " trans=");
103 		audit_log_untrustedstring(ab, ad->mnt.trans);
104 	}
105 	if (ad->mnt.flags) {
106 		audit_log_format(ab, " flags=\"");
107 		audit_mnt_flags(ab, ad->mnt.flags);
108 		audit_log_format(ab, "\"");
109 	}
110 	if (ad->mnt.data) {
111 		audit_log_format(ab, " options=");
112 		audit_log_untrustedstring(ab, ad->mnt.data);
113 	}
114 }
115 
116 /**
117  * audit_mount - handle the auditing of mount operations
118  * @subj_cred: cred of the subject
119  * @profile: the profile being enforced  (NOT NULL)
120  * @op: operation being mediated (NOT NULL)
121  * @name: name of object being mediated (MAYBE NULL)
122  * @src_name: src_name of object being mediated (MAYBE_NULL)
123  * @type: type of filesystem (MAYBE_NULL)
124  * @trans: name of trans (MAYBE NULL)
125  * @flags: filesystem independent mount flags
126  * @data: filesystem mount flags
127  * @request: permissions requested
128  * @perms: the permissions computed for the request (NOT NULL)
129  * @info: extra information message (MAYBE NULL)
130  * @error: 0 if operation allowed else failure error code
131  *
132  * Returns: %0 or error on failure
133  */
134 static int audit_mount(const struct cred *subj_cred,
135 		       struct aa_profile *profile, const char *op,
136 		       const char *name, const char *src_name,
137 		       const char *type, const char *trans,
138 		       unsigned long flags, const void *data, u32 request,
139 		       struct aa_perms *perms, const char *info, int error)
140 {
141 	int audit_type = AUDIT_APPARMOR_AUTO;
142 	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op);
143 
144 	if (likely(!error)) {
145 		u32 mask = perms->audit;
146 
147 		if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
148 			mask = 0xffff;
149 
150 		/* mask off perms that are not being force audited */
151 		request &= mask;
152 
153 		if (likely(!request))
154 			return 0;
155 		audit_type = AUDIT_APPARMOR_AUDIT;
156 	} else {
157 		/* only report permissions that were denied */
158 		request = request & ~perms->allow;
159 
160 		if (request & perms->kill)
161 			audit_type = AUDIT_APPARMOR_KILL;
162 
163 		/* quiet known rejects, assumes quiet and kill do not overlap */
164 		if ((request & perms->quiet) &&
165 		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
166 		    AUDIT_MODE(profile) != AUDIT_ALL)
167 			request &= ~perms->quiet;
168 
169 		if (!request)
170 			return error;
171 	}
172 
173 	ad.subj_cred = subj_cred;
174 	ad.name = name;
175 	ad.mnt.src_name = src_name;
176 	ad.mnt.type = type;
177 	ad.mnt.trans = trans;
178 	ad.mnt.flags = flags;
179 	if (data && (perms->audit & AA_AUDIT_DATA))
180 		ad.mnt.data = data;
181 	ad.info = info;
182 	ad.error = error;
183 
184 	return aa_audit(audit_type, profile, &ad, audit_cb);
185 }
186 
187 /**
188  * match_mnt_flags - Do an ordered match on mount flags
189  * @dfa: dfa to match against
190  * @state: state to start in
191  * @flags: mount flags to match against
192  *
193  * Mount flags are encoded as an ordered match. This is done instead of
194  * checking against a simple bitmask, to allow for logical operations
195  * on the flags.
196  *
197  * Returns: next state after flags match
198  */
199 static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state,
200 				    unsigned long flags)
201 {
202 	unsigned int i;
203 
204 	for (i = 0; i <= 31 ; ++i) {
205 		if ((1 << i) & flags)
206 			state = aa_dfa_next(dfa, state, i + 1);
207 	}
208 
209 	return state;
210 }
211 
212 static const char * const mnt_info_table[] = {
213 	"match succeeded",
214 	"failed mntpnt match",
215 	"failed srcname match",
216 	"failed type match",
217 	"failed flags match",
218 	"failed data match",
219 	"failed perms check"
220 };
221 
222 /*
223  * Returns 0 on success else element that match failed in, this is the
224  * index into the mnt_info_table above
225  */
226 static int do_match_mnt(struct aa_policydb *policy, aa_state_t start,
227 			const char *mntpnt, const char *devname,
228 			const char *type, unsigned long flags,
229 			void *data, bool binary, struct aa_perms *perms)
230 {
231 	aa_state_t state;
232 
233 	AA_BUG(!policy);
234 	AA_BUG(!policy->dfa);
235 	AA_BUG(!policy->perms);
236 	AA_BUG(!perms);
237 
238 	state = aa_dfa_match(policy->dfa, start, mntpnt);
239 	state = aa_dfa_null_transition(policy->dfa, state);
240 	if (!state)
241 		return 1;
242 
243 	if (devname)
244 		state = aa_dfa_match(policy->dfa, state, devname);
245 	state = aa_dfa_null_transition(policy->dfa, state);
246 	if (!state)
247 		return 2;
248 
249 	if (type)
250 		state = aa_dfa_match(policy->dfa, state, type);
251 	state = aa_dfa_null_transition(policy->dfa, state);
252 	if (!state)
253 		return 3;
254 
255 	state = match_mnt_flags(policy->dfa, state, flags);
256 	if (!state)
257 		return 4;
258 	*perms = *aa_lookup_perms(policy, state);
259 	if (perms->allow & AA_MAY_MOUNT)
260 		return 0;
261 
262 	/* only match data if not binary and the DFA flags data is expected */
263 	if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) {
264 		state = aa_dfa_null_transition(policy->dfa, state);
265 		if (!state)
266 			return 4;
267 
268 		state = aa_dfa_match(policy->dfa, state, data);
269 		if (!state)
270 			return 5;
271 		*perms = *aa_lookup_perms(policy, state);
272 		if (perms->allow & AA_MAY_MOUNT)
273 			return 0;
274 	}
275 
276 	/* failed at perms check, don't confuse with flags match */
277 	return 6;
278 }
279 
280 
281 static int path_flags(struct aa_profile *profile, const struct path *path)
282 {
283 	AA_BUG(!profile);
284 	AA_BUG(!path);
285 
286 	return profile->path_flags |
287 		(S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0);
288 }
289 
290 /**
291  * match_mnt_path_str - handle path matching for mount
292  * @subj_cred: cred of confined subject
293  * @profile: the confining profile
294  * @mntpath: for the mntpnt (NOT NULL)
295  * @buffer: buffer to be used to lookup mntpath
296  * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR)
297  * @type: string for the dev type (MAYBE NULL)
298  * @flags: mount flags to match
299  * @data: fs mount data (MAYBE NULL)
300  * @binary: whether @data is binary
301  * @devinfo: error str if (IS_ERR(@devname))
302  *
303  * Returns: 0 on success else error
304  */
305 static int match_mnt_path_str(const struct cred *subj_cred,
306 			      struct aa_profile *profile,
307 			      const struct path *mntpath, char *buffer,
308 			      const char *devname, const char *type,
309 			      unsigned long flags, void *data, bool binary,
310 			      const char *devinfo)
311 {
312 	struct aa_perms perms = { };
313 	const char *mntpnt = NULL, *info = NULL;
314 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
315 						    typeof(*rules), list);
316 	int pos, error;
317 
318 	AA_BUG(!profile);
319 	AA_BUG(!mntpath);
320 	AA_BUG(!buffer);
321 
322 	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
323 		return 0;
324 
325 	error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
326 			     &mntpnt, &info, profile->disconnected);
327 	if (error)
328 		goto audit;
329 	if (IS_ERR(devname)) {
330 		error = PTR_ERR(devname);
331 		devname = NULL;
332 		info = devinfo;
333 		goto audit;
334 	}
335 
336 	error = -EACCES;
337 	pos = do_match_mnt(rules->policy,
338 			   rules->policy->start[AA_CLASS_MOUNT],
339 			   mntpnt, devname, type, flags, data, binary, &perms);
340 	if (pos) {
341 		info = mnt_info_table[pos];
342 		goto audit;
343 	}
344 	error = 0;
345 
346 audit:
347 	return audit_mount(subj_cred, profile, OP_MOUNT, mntpnt, devname,
348 			   type, NULL,
349 			   flags, data, AA_MAY_MOUNT, &perms, info, error);
350 }
351 
352 /**
353  * match_mnt - handle path matching for mount
354  * @subj_cred: cred of the subject
355  * @profile: the confining profile
356  * @path: for the mntpnt (NOT NULL)
357  * @buffer: buffer to be used to lookup mntpath
358  * @devpath: path devname/src_name (MAYBE NULL)
359  * @devbuffer: buffer to be used to lookup devname/src_name
360  * @type: string for the dev type (MAYBE NULL)
361  * @flags: mount flags to match
362  * @data: fs mount data (MAYBE NULL)
363  * @binary: whether @data is binary
364  *
365  * Returns: 0 on success else error
366  */
367 static int match_mnt(const struct cred *subj_cred,
368 		     struct aa_profile *profile, const struct path *path,
369 		     char *buffer, const struct path *devpath, char *devbuffer,
370 		     const char *type, unsigned long flags, void *data,
371 		     bool binary)
372 {
373 	const char *devname = NULL, *info = NULL;
374 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
375 						    typeof(*rules), list);
376 	int error = -EACCES;
377 
378 	AA_BUG(!profile);
379 	AA_BUG(devpath && !devbuffer);
380 
381 	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
382 		return 0;
383 
384 	if (devpath) {
385 		error = aa_path_name(devpath, path_flags(profile, devpath),
386 				     devbuffer, &devname, &info,
387 				     profile->disconnected);
388 		if (error)
389 			devname = ERR_PTR(error);
390 	}
391 
392 	return match_mnt_path_str(subj_cred, profile, path, buffer, devname,
393 				  type, flags, data, binary, info);
394 }
395 
396 int aa_remount(const struct cred *subj_cred,
397 	       struct aa_label *label, const struct path *path,
398 	       unsigned long flags, void *data)
399 {
400 	struct aa_profile *profile;
401 	char *buffer = NULL;
402 	bool binary;
403 	int error;
404 
405 	AA_BUG(!label);
406 	AA_BUG(!path);
407 
408 	binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
409 
410 	buffer = aa_get_buffer(false);
411 	if (!buffer)
412 		return -ENOMEM;
413 	error = fn_for_each_confined(label, profile,
414 			match_mnt(subj_cred, profile, path, buffer, NULL,
415 				  NULL, NULL,
416 				  flags, data, binary));
417 	aa_put_buffer(buffer);
418 
419 	return error;
420 }
421 
422 int aa_bind_mount(const struct cred *subj_cred,
423 		  struct aa_label *label, const struct path *path,
424 		  const char *dev_name, unsigned long flags)
425 {
426 	struct aa_profile *profile;
427 	char *buffer = NULL, *old_buffer = NULL;
428 	struct path old_path;
429 	int error;
430 
431 	AA_BUG(!label);
432 	AA_BUG(!path);
433 
434 	if (!dev_name || !*dev_name)
435 		return -EINVAL;
436 
437 	flags &= MS_REC | MS_BIND;
438 
439 	error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
440 	if (error)
441 		return error;
442 
443 	buffer = aa_get_buffer(false);
444 	old_buffer = aa_get_buffer(false);
445 	error = -ENOMEM;
446 	if (!buffer || !old_buffer)
447 		goto out;
448 
449 	error = fn_for_each_confined(label, profile,
450 			match_mnt(subj_cred, profile, path, buffer, &old_path,
451 				  old_buffer, NULL, flags, NULL, false));
452 out:
453 	aa_put_buffer(buffer);
454 	aa_put_buffer(old_buffer);
455 	path_put(&old_path);
456 
457 	return error;
458 }
459 
460 int aa_mount_change_type(const struct cred *subj_cred,
461 			 struct aa_label *label, const struct path *path,
462 			 unsigned long flags)
463 {
464 	struct aa_profile *profile;
465 	char *buffer = NULL;
466 	int error;
467 
468 	AA_BUG(!label);
469 	AA_BUG(!path);
470 
471 	/* These are the flags allowed by do_change_type() */
472 	flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
473 		  MS_UNBINDABLE);
474 
475 	buffer = aa_get_buffer(false);
476 	if (!buffer)
477 		return -ENOMEM;
478 	error = fn_for_each_confined(label, profile,
479 			match_mnt(subj_cred, profile, path, buffer, NULL,
480 				  NULL, NULL,
481 				  flags, NULL, false));
482 	aa_put_buffer(buffer);
483 
484 	return error;
485 }
486 
487 int aa_move_mount(const struct cred *subj_cred,
488 		  struct aa_label *label, const struct path *from_path,
489 		  const struct path *to_path)
490 {
491 	struct aa_profile *profile;
492 	char *to_buffer = NULL, *from_buffer = NULL;
493 	int error;
494 
495 	AA_BUG(!label);
496 	AA_BUG(!from_path);
497 	AA_BUG(!to_path);
498 
499 	to_buffer = aa_get_buffer(false);
500 	from_buffer = aa_get_buffer(false);
501 	error = -ENOMEM;
502 	if (!to_buffer || !from_buffer)
503 		goto out;
504 
505 	if (!our_mnt(from_path->mnt))
506 		/* moving a mount detached from the namespace */
507 		from_path = NULL;
508 	error = fn_for_each_confined(label, profile,
509 			match_mnt(subj_cred, profile, to_path, to_buffer,
510 				  from_path, from_buffer,
511 				  NULL, MS_MOVE, NULL, false));
512 out:
513 	aa_put_buffer(to_buffer);
514 	aa_put_buffer(from_buffer);
515 
516 	return error;
517 }
518 
519 int aa_move_mount_old(const struct cred *subj_cred, struct aa_label *label,
520 		      const struct path *path, const char *orig_name)
521 {
522 	struct path old_path;
523 	int error;
524 
525 	if (!orig_name || !*orig_name)
526 		return -EINVAL;
527 	error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
528 	if (error)
529 		return error;
530 
531 	error = aa_move_mount(subj_cred, label, &old_path, path);
532 	path_put(&old_path);
533 
534 	return error;
535 }
536 
537 int aa_new_mount(const struct cred *subj_cred, struct aa_label *label,
538 		 const char *dev_name, const struct path *path,
539 		 const char *type, unsigned long flags, void *data)
540 {
541 	struct aa_profile *profile;
542 	char *buffer = NULL, *dev_buffer = NULL;
543 	bool binary = true;
544 	int error;
545 	int requires_dev = 0;
546 	struct path tmp_path, *dev_path = NULL;
547 
548 	AA_BUG(!label);
549 	AA_BUG(!path);
550 
551 	if (type) {
552 		struct file_system_type *fstype;
553 
554 		fstype = get_fs_type(type);
555 		if (!fstype)
556 			return -ENODEV;
557 		binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
558 		requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
559 		put_filesystem(fstype);
560 
561 		if (requires_dev) {
562 			if (!dev_name || !*dev_name)
563 				return -ENOENT;
564 
565 			error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path);
566 			if (error)
567 				return error;
568 			dev_path = &tmp_path;
569 		}
570 	}
571 
572 	buffer = aa_get_buffer(false);
573 	if (!buffer) {
574 		error = -ENOMEM;
575 		goto out;
576 	}
577 	if (dev_path) {
578 		dev_buffer = aa_get_buffer(false);
579 		if (!dev_buffer) {
580 			error = -ENOMEM;
581 			goto out;
582 		}
583 		error = fn_for_each_confined(label, profile,
584 				match_mnt(subj_cred, profile, path, buffer,
585 					  dev_path, dev_buffer,
586 				  type, flags, data, binary));
587 	} else {
588 		error = fn_for_each_confined(label, profile,
589 				match_mnt_path_str(subj_cred, profile, path,
590 					buffer, dev_name,
591 					type, flags, data, binary, NULL));
592 	}
593 
594 out:
595 	aa_put_buffer(buffer);
596 	aa_put_buffer(dev_buffer);
597 	if (dev_path)
598 		path_put(dev_path);
599 
600 	return error;
601 }
602 
603 static int profile_umount(const struct cred *subj_cred,
604 			  struct aa_profile *profile, const struct path *path,
605 			  char *buffer)
606 {
607 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
608 						    typeof(*rules), list);
609 	struct aa_perms perms = { };
610 	const char *name = NULL, *info = NULL;
611 	aa_state_t state;
612 	int error;
613 
614 	AA_BUG(!profile);
615 	AA_BUG(!path);
616 
617 	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
618 		return 0;
619 
620 	error = aa_path_name(path, path_flags(profile, path), buffer, &name,
621 			     &info, profile->disconnected);
622 	if (error)
623 		goto audit;
624 
625 	state = aa_dfa_match(rules->policy->dfa,
626 			     rules->policy->start[AA_CLASS_MOUNT],
627 			     name);
628 	perms = *aa_lookup_perms(rules->policy, state);
629 	if (AA_MAY_UMOUNT & ~perms.allow)
630 		error = -EACCES;
631 
632 audit:
633 	return audit_mount(subj_cred, profile, OP_UMOUNT, name, NULL, NULL,
634 			   NULL, 0, NULL,
635 			   AA_MAY_UMOUNT, &perms, info, error);
636 }
637 
638 int aa_umount(const struct cred *subj_cred, struct aa_label *label,
639 	      struct vfsmount *mnt, int flags)
640 {
641 	struct aa_profile *profile;
642 	char *buffer = NULL;
643 	int error;
644 	struct path path = { .mnt = mnt, .dentry = mnt->mnt_root };
645 
646 	AA_BUG(!label);
647 	AA_BUG(!mnt);
648 
649 	buffer = aa_get_buffer(false);
650 	if (!buffer)
651 		return -ENOMEM;
652 
653 	error = fn_for_each_confined(label, profile,
654 			profile_umount(subj_cred, profile, &path, buffer));
655 	aa_put_buffer(buffer);
656 
657 	return error;
658 }
659 
660 /* helper fn for transition on pivotroot
661  *
662  * Returns: label for transition or ERR_PTR. Does not return NULL
663  */
664 static struct aa_label *build_pivotroot(const struct cred *subj_cred,
665 					struct aa_profile *profile,
666 					const struct path *new_path,
667 					char *new_buffer,
668 					const struct path *old_path,
669 					char *old_buffer)
670 {
671 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
672 						    typeof(*rules), list);
673 	const char *old_name, *new_name = NULL, *info = NULL;
674 	const char *trans_name = NULL;
675 	struct aa_perms perms = { };
676 	aa_state_t state;
677 	int error;
678 
679 	AA_BUG(!profile);
680 	AA_BUG(!new_path);
681 	AA_BUG(!old_path);
682 
683 	if (profile_unconfined(profile) ||
684 	    !RULE_MEDIATES(rules, AA_CLASS_MOUNT))
685 		return aa_get_newest_label(&profile->label);
686 
687 	error = aa_path_name(old_path, path_flags(profile, old_path),
688 			     old_buffer, &old_name, &info,
689 			     profile->disconnected);
690 	if (error)
691 		goto audit;
692 	error = aa_path_name(new_path, path_flags(profile, new_path),
693 			     new_buffer, &new_name, &info,
694 			     profile->disconnected);
695 	if (error)
696 		goto audit;
697 
698 	error = -EACCES;
699 	state = aa_dfa_match(rules->policy->dfa,
700 			     rules->policy->start[AA_CLASS_MOUNT],
701 			     new_name);
702 	state = aa_dfa_null_transition(rules->policy->dfa, state);
703 	state = aa_dfa_match(rules->policy->dfa, state, old_name);
704 	perms = *aa_lookup_perms(rules->policy, state);
705 
706 	if (AA_MAY_PIVOTROOT & perms.allow)
707 		error = 0;
708 
709 audit:
710 	error = audit_mount(subj_cred, profile, OP_PIVOTROOT, new_name,
711 			    old_name,
712 			    NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT,
713 			    &perms, info, error);
714 	if (error)
715 		return ERR_PTR(error);
716 
717 	return aa_get_newest_label(&profile->label);
718 }
719 
720 int aa_pivotroot(const struct cred *subj_cred, struct aa_label *label,
721 		 const struct path *old_path,
722 		 const struct path *new_path)
723 {
724 	struct aa_profile *profile;
725 	struct aa_label *target = NULL;
726 	char *old_buffer = NULL, *new_buffer = NULL, *info = NULL;
727 	int error;
728 
729 	AA_BUG(!label);
730 	AA_BUG(!old_path);
731 	AA_BUG(!new_path);
732 
733 	old_buffer = aa_get_buffer(false);
734 	new_buffer = aa_get_buffer(false);
735 	error = -ENOMEM;
736 	if (!old_buffer || !new_buffer)
737 		goto out;
738 	target = fn_label_build(label, profile, GFP_KERNEL,
739 			build_pivotroot(subj_cred, profile, new_path,
740 					new_buffer,
741 					old_path, old_buffer));
742 	if (!target) {
743 		info = "label build failed";
744 		error = -ENOMEM;
745 		goto fail;
746 	} else if (!IS_ERR(target)) {
747 		error = aa_replace_current_label(target);
748 		if (error) {
749 			/* TODO: audit target */
750 			aa_put_label(target);
751 			goto out;
752 		}
753 		aa_put_label(target);
754 	} else
755 		/* already audited error */
756 		error = PTR_ERR(target);
757 out:
758 	aa_put_buffer(old_buffer);
759 	aa_put_buffer(new_buffer);
760 
761 	return error;
762 
763 fail:
764 	/* TODO: add back in auditing of new_name and old_name */
765 	error = fn_for_each(label, profile,
766 			audit_mount(subj_cred, profile, OP_PIVOTROOT,
767 				    NULL /*new_name */,
768 				    NULL /* old_name */,
769 				    NULL, NULL,
770 				    0, NULL, AA_MAY_PIVOTROOT, &nullperms, info,
771 				    error));
772 	goto out;
773 }
774